KeeperPAM Just-In-Time Access and Zero Standing Privilege

Introduction

KeeperPAM provides comprehensive just-in-time (JIT) access capabilities to help organizations achieve zero standing privilege (ZSP) across their entire IT infrastructure and endpoints. By implementing JIT access controls, organizations can significantly reduce their attack surface by ensuring that privileged access is only granted when needed, for the duration required, and with appropriate approvals.

Understanding JIT and ZSP

Just-In-Time (JIT) Access: Provides users with privileged access only at the moment they need it, for a limited time period, and often with approval workflows.

Zero Standing Privilege (ZSP): A security approach where users have no permanent privileged access to systems, eliminating the risk associated with compromised privileged accounts.

Use Cases

KeeperPAM offers JIT capabilities across multiple scenarios:

Just-in-Time Elevated Access to Infrastructure

Keeper's zero-trust privileged sessions can be established to any target with a single click from the web vault. When configured for JIT, elevated privileges are only granted for the duration of the session and automatically revoked upon session termination.

Supported Connection Protocols:

  • RDP (Remote Desktop Protocol)

  • SSH (Secure Shell)

  • VNC (Virtual Network Computing)

  • HTTP/HTTPS

  • Database connections (MySQL, PostgreSQL, SQL Server, Oracle, etc.)

How to Configure:

  1. In the KeeperPAM resource configuration, navigate to the "JIT" tab

  2. Enable just-in-time elevated access for the target resource

  3. Configure the elevation settings (Ephemeral account or Group/Role elevation)

  4. Update the configuration

Ephemeral Account Creation

KeeperPAM can create temporary accounts with appropriate privileges that exist only for the duration of a privileged session.

Key Features:

  • Automatic creation of temporary privileged accounts when sessions begin

  • Dynamic privilege assignment based on access requirements

  • Complete account removal when sessions terminate

  • No persistent privileged accounts to be compromised

  • Comprehensive logging of all account creation and removal activities

Benefits:

  • Eliminates attack vectors associated with standing privileged accounts

  • Prevents lateral movement using compromised credentials

  • Creates clean audit trails linking specific sessions to temporary accounts

  • Reduces administrative overhead of managing privileged accounts

The Keeper Gateway is responsible for creating a temporary account on the target using the selected account type.

Just-In-Time Ephemeral Account Creation during PAM Sessions

Keeper can create temporary accounts on any assigned target resource, such as:

  • Active Directory / LDAP User

  • Windows User

  • Linux User

  • MySQL User

  • PostgreSQL User

  • Microsoft SQL Server User
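The ZSP promise of ephemeral accounts only holds if every temporary account is actually removed when its session ends, and the page notes that creation and removal are logged. As an added example (not Keeper's own code or Gateway output), the check below reads constructed Linux syslog lines in the shadow-utils useradd/usermod/userdel message format, pairs each ephemeral account's creation with its deletion, and reports any account that was left standing or lived longer than the allowed session window. The `jit-` naming prefix and the 60-minute maximum are assumptions; the same pairing logic applies to Windows account-lifecycle events.

```python
import re
from datetime import datetime

# Constructed sample log lines (not real Keeper Gateway output). The first JIT
# account is created, elevated via the sudo group and removed; the second one is
# created and elevated but never deleted, which is exactly what ZSP must not allow.
SAMPLE_LOG = """\
Jan 10 09:00:01 bastion useradd[1234]: new user: name=jit-a1b2c3, UID=1501, GID=1501, home=/home/jit-a1b2c3, shell=/bin/bash
Jan 10 09:00:01 bastion usermod[1235]: add 'jit-a1b2c3' to group 'sudo'
Jan 10 09:42:10 bastion userdel[1300]: delete user 'jit-a1b2c3'
Jan 10 10:15:00 bastion useradd[1400]: new user: name=jit-d4e5f6, UID=1502, GID=1502, home=/home/jit-d4e5f6, shell=/bin/bash
Jan 10 10:15:00 bastion usermod[1401]: add 'jit-d4e5f6' to group 'sudo'
Jan 10 11:00:00 bastion sshd[1500]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (useradd|usermod|userdel)\[\d+\]: (.*)$")
NEW_USER_RE = re.compile(r"new user: name=([^,]+)")
ADD_GROUP_RE = re.compile(r"add '([^']+)' to group '([^']+)'")
DEL_USER_RE = re.compile(r"delete user '([^']+)'")
JIT_PREFIX = "jit-"  # assumed naming convention for ephemeral accounts


def audit_ephemeral_accounts(log_text, max_session_minutes=60, year=2025):
    """Return findings for JIT accounts that were never removed or outlived the session window."""
    created, groups, deleted = {}, {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an account-lifecycle event
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        tool, msg = m.group(2), m.group(3)
        if tool == "useradd" and (u := NEW_USER_RE.search(msg)) and u.group(1).startswith(JIT_PREFIX):
            created[u.group(1)] = ts
        elif tool == "usermod" and (g := ADD_GROUP_RE.search(msg)):
            groups.setdefault(g.group(1), []).append(g.group(2))  # record the elevation granted
        elif tool == "userdel" and (d := DEL_USER_RE.search(msg)):
            deleted[d.group(1)] = ts
    findings = []
    for name, start in created.items():
        privs = ",".join(groups.get(name, [])) or "none"
        if name not in deleted:
            findings.append(f"STANDING: {name} (groups: {privs}) created {start:%H:%M} and never removed")
        else:
            minutes = (deleted[name] - start).total_seconds() / 60
            if minutes > max_session_minutes:
                findings.append(f"OVERLONG: {name} lived {minutes:.0f} min (> {max_session_minutes})")
    return findings


if __name__ == "__main__":
    for finding in audit_ephemeral_accounts(SAMPLE_LOG):
        print(finding)
```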

Group and Role Elevation

Role elevation can be assigned at the Group or Role level. For example, an AWS group or role can be assigned to the connecting user account for the duration of the session.

In the input field, provide Keeper with the identifier of the group or role to elevate during the connection. For example, on Windows this might be “Administrators”; for AWS it would be the full role ARN (e.g. arn:aws:iam::12345:role/Admin).

Just-In-Time Role Elevation during Privileged Sessions

Just-in-Time Elevated Access on Endpoints using PEDM

Keeper Privilege Manager extends JIT capabilities to end-user devices, allowing for precise privilege elevation for specific processes, applications, or tasks without granting full administrative access.

Key Features:

  • Process-level privilege management across Windows, macOS, and Linux

  • Policy-based elevation rules with granular controls

  • User-initiated elevation requests with approval workflows

  • Comprehensive auditing and reporting

How it Works:

  1. Users operate with standard, non-privileged accounts by default

  2. When administrative privileges are needed, users request elevation for specific tasks

  3. Based on policy, requests are auto-approved or routed for manual approval

  4. Elevated privileges are granted only for the specified process or time window

  5. Full audit trails capture all elevation activities

Just-In-Time Access with Keeper Privilege Manager

Time-Limited Access with Automated Credential Rotation

KeeperPAM provides time-bounded access to resources with automatic credential rotation.

Key Features:

  • Automated credential rotation on-demand or on a scheduled basis

  • Time-limited access window for authorized users

  • Integration with password rotation policies

  • Complete audit trail of credential changes

Security Benefits:

  • Ensures credentials are never re-used for future sessions

  • Protects against credential theft during access periods

  • Creates cryptographically verifiable access boundaries

  • Maintains compliance with credential rotation requirements

To provide time-limited access to a resource, open the resource from the vault and select Sharing. Add the user as a share recipient, and select Set Expiration.

Time-Limited Access

Workflow and Requests for Approval

The Workflow and Requests for Approval capabilities are coming soon.

KeeperPAM includes flexible approval workflows for JIT access requests, ensuring proper oversight of privileged access.

Key Features:

  • Multi-level approval workflows

  • Time-based auto-approval or denial

  • Delegation of approval authority

  • Email and mobile notifications

  • Detailed justification requirements

  • Single-user mode (Check-in / Check-out)

  • MFA enforcement on access

Configuration Options:

  • Required approvers based on resource sensitivity

  • Approval timeouts and escalations

  • Working hours restrictions

  • Maximum session duration settings

  • User-specific approval requirements

Workflow and Requests for Approval

Implementation Best Practices

When implementing JIT access and ZSP with KeeperPAM:

  1. Start with critical systems: Begin your implementation with your most sensitive systems and infrastructure

  2. Define clear policies: Establish clear guidelines for when JIT access is required and who can approve it

  3. Educate users: Ensure users understand how to request elevated access when needed

  4. Monitor and adjust: Regularly review logs and adjust policies based on actual usage patterns

  5. Plan for emergencies: Establish break-glass procedures for critical situations where normal approval workflows may be too slow

Conclusion

KeeperPAM's comprehensive JIT and ZSP capabilities provide organizations with the tools needed to significantly reduce their privileged access attack surface. By implementing these capabilities across your infrastructure, you can ensure that privileged access is strictly controlled, properly approved, and thoroughly audited.

For more information on specific JIT use cases or implementation guidance, contact your Keeper Security account manager or email pam@keepersecurity.com.
